diff --git a/README.md b/README.md
index a9490a9..a1da921 100644
--- a/README.md
+++ b/README.md
@@ -14,8 +14,9 @@ Puppetforge: https://forge.puppetlabs.com/HEPPuppet/htcondor
 2. [Module Description - What does the module do?](#module-description)
 3. [Setup - The basics of getting started with htcondor](#setup)
 4. [Singularity container support](#singularity)
-5. [Limitations - OS compatibility, etc.](#limitations)
-6. [Development - Guide for contributing to the module](#development)
+5. [Kerberos authentication support](#kerberos)
+6. [Limitations - OS compatibility, etc.](#limitations)
+7. [Development - Guide for contributing to the module](#development)
 * [Contributing to the htcondor module](#contributing)
 * [Running tests - A quick guide](#running-tests)
@@ -95,6 +96,20 @@ The same holds for setting `SINGULARITY_HOME`: This ensures non-interactive jobs
 The Image may also be an expression to allow for user configuration, more details on that are provided in the [HTCondor documentation](https://research.cs.wisc.edu/htcondor/manual/latest/3_17Singularity_Support.html).
+## Kerberos
+The module provides support for Kerberos auth, to the extent to which this is implemented in HTCondor.
+
+Example configuration parameters could be:
+```
+use_kerberos_auth => true,
+krb_srv_keytab => '/etc/condor/condor.keytab',
+krb_srv_principal => 'condor-daemon/$(FULL_HOSTNAME)@MYREALM',
+krb_srv_user => 'condor-daemon',
+use_krb_map_file => true,
+krb_mapfile_entries => {'REALM1' =>'realm1', 'REALM2' => 'realm2'},
+```
+This will deploy a map file containing the entries listed in the `krb_mapfile_entries` hash. The keytab, however, is not deployed through this module and has to be placed to a path corresponding to `krb_srv_keytab`, with the appropriate owner and mode.
+
 ## Limitations
 ### General
diff --git a/files/examples/kerberos_mapfile b/files/examples/kerberos_mapfile
deleted file mode 100644
index cc51a1f..0000000
--- a/files/examples/kerberos_mapfile
+++ /dev/null
@@ -1 +0,0 @@
-KERBEROS.REALM = htcondor.domain
\ No newline at end of file
diff --git a/manifests/config/security.pp b/manifests/config/security.pp
index 752e9c0..1270113 100644
--- a/manifests/config/security.pp
+++ b/manifests/config/security.pp
@@ -1,4 +1,12 @@
-class htcondor::config::security {
+class htcondor::config::security (
+ $krb_srv_keytab = $htcondor::krb_srv_keytab,
+ $krb_srv_principal = $htcondor::krb_srv_principal,
+ $krb_srv_user = $htcondor::krb_srv_user,
+ $krb_srv_service = $htcondor::krb_srv_service,
+ $krb_client_keytab = $htcondor::krb_client_keytab,
+ $krb_mapfile_entries = $htcondor::krb_mapfile_entries,
+)
+{
 # general - manifest or 1 or more configs
 $condor_user = $htcondor::condor_user
 $condor_group = $htcondor::condor_group
@@ -21,7 +29,7 @@
 $use_krb_map_file = $htcondor::use_krb_map_file
 $krb_map_file = $htcondor::krb_map_file
- $krb_map_file_source = $htcondor::krb_map_file_source
+ $krb_map_file_template = $htcondor::krb_map_file_template
 $ssl_server_keyfile = $htcondor::ssl_server_keyfile
 $ssl_client_keyfile = $htcondor::ssl_client_keyfile
@@ -108,10 +116,10 @@
 if $use_kerberos_auth {
 if $use_krb_map_file {
 file { $krb_map_file:
- ensure => present,
- source => $krb_map_file_source,
- owner => $condor_user,
- group => $condor_group,
+ ensure => present,
+ content => template($krb_map_file_template),
+ owner => $condor_user,
+ group => $condor_group,
 }
 }
 }
diff --git a/manifests/init.pp b/manifests/init.pp
index 960000c..6ab6a30 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
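Review bot: The `file { $krb_map_file: … }` resource in the third security.pp hunk still sets no `mode`, so an already existing map file keeps whatever permissions it had, and this file is what decides which Kerberos principal maps to which local account; pin it explicitly with `mode => '0644',` next to the `owner`/`group` lines so it can never stay group- or world-writable. Replacing `source => $krb_map_file_source` with `content => template($krb_map_file_template)` also removes the `krb_map_file_source` parameter outright (first and second hunks), so a deployment that sets `krb_map_file_source` in hiera now silently gets the generated file instead of its own; consider keeping the old parameter as a fallback (`source` when it is set, otherwise the template) or at least documenting the removal. The enclosing class body continues outside the hunks.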
@@ -197,7 +197,13 @@
 $cert_map_file = $htcondor::params::cert_map_file,
 $cert_map_file_source = $htcondor::params::cert_map_file_source,
 $krb_map_file = $htcondor::params::krb_map_file,
- $krb_map_file_source = $htcondor::params::krb_map_file_source,
+ $krb_map_file_template = $htcondor::params::krb_map_file_template,
+ $krb_srv_keytab = undef,
+ $krb_srv_principal = undef,
+ $krb_srv_user = undef,
+ $krb_srv_service = undef,
+ $krb_client_keytab = undef,
+ $krb_mapfile_entries = {},
 $ssl_server_keyfile = $htcondor::params::ssl_server_keyfile,
 $ssl_client_keyfile = $htcondor::params::ssl_client_keyfile,
 $ssl_server_certfile = $htcondor::params::ssl_server_certfile,
diff --git a/manifests/params.pp b/manifests/params.pp
index 5e915b0..fba27ec 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -119,7 +119,7 @@
 )
 $krb_map_file = hiera('krb_map_file', '/etc/condor/kerberos_mapfile' )
- $krb_map_file_source = hiera('krb_map_file_source', "puppet:///modules/${module_name}/kerberos_mapfile"
+ $krb_map_file_template = hiera('krb_map_file_template', "${module_name}/mapfile.kmap.erb" )
 $machine_list_prefix = hiera('machine_list_prefix', 'condor_pool@$(UID_DOMAIN)/' )
diff --git a/templates/10_security.config.erb b/templates/10_security.config.erb
index fed3fe6..1ebe6f4 100644
--- a/templates/10_security.config.erb
+++ b/templates/10_security.config.erb
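Review bot: The six new `krb_*` parameters in the init.pp hunk are the only entries in this list whose defaults are literal `undef`/`{}` instead of a `$htcondor::params::…` value, unlike `$krb_map_file_template` right above them, and nothing records that `undef` is meant to stand for "not configured"; a one-line comment above them would make that contract explicit, e.g. `# undef leaves the corresponding KERBEROS_* key out of 10_security.config (see templates/10_security.config.erb)` — provided the template really does omit them for undef, which its `defined?` checks may not guarantee. `krb_srv_service` and `krb_client_keytab` are also absent from the README example added in this commit, so they are effectively undocumented. The `class htcondor (` parameter list starts and ends outside the hunk.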
@@ -97,6 +97,21 @@ SEC_ENABLE_MATCH_PASSWORD_AUTHENTICATION = True
 <% if @use_krb_map_file then -%>
 KERBEROS_MAP_FILE = <%= @krb_map_file %>
 <% end -%>
+<% if (defined?(@krb_srv_keytab)) then -%>
+KERBEROS_SERVER_KEYTAB = <%= @krb_srv_keytab %>
+<% end -%>
+<% if (defined?(@krb_srv_principal)) then -%>
+KERBEROS_SERVER_PRINCIPAL = <%= @krb_srv_principal %>
+<% end -%>
+<% if (defined?(@krb_srv_user)) then -%>
+KERBEROS_SERVER_USER = <%= @krb_srv_user %>
+<% end -%>
+<% if (defined?(@krb_srv_service)) then -%>
+KERBEROS_SERVER_SERVICE = <%= @krb_srv_service %>
+<% end -%>
+<% if (defined?(@krb_client_keytab)) then -%>
+KERBEROS_CLIENT_KEYTAB = <%= @krb_client_keytab %>
+<% end -%>
 <% end -%>
 <% if @use_password_auth then -%>
 SEC_PASSWORD_FILE = /etc/condor/pool_password
diff --git a/templates/mapfile.kmap.erb b/templates/mapfile.kmap.erb
new file mode 100644
index 0000000..0c4c446
--- /dev/null
+++ b/templates/mapfile.kmap.erb
@@ -0,0 +1,5 @@
+<% if @krb_mapfile_entries.any? -%>
+<% @krb_mapfile_entries.each do |realm, domain| -%>
+<%=realm -%> = <%=domain %>
+<% end -%>
+<% end -%>
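Review bot: The five `<% if (defined?(@krb_srv_keytab)) then -%>` guards added to 10_security.config.erb do not test whether the parameter was actually set: Puppet assigns an instance variable for every variable in scope, so for a parameter that defaults to `undef` `defined?` is still true and the template emits `KERBEROS_SERVER_KEYTAB = ` with an empty value, which HTCondor then reads as a real setting. Test the value instead, `<% if @krb_srv_keytab then -%>`, and do the same for `@krb_srv_principal`, `@krb_srv_user`, `@krb_srv_service` and `@krb_client_keytab`; on Puppet 3 an undef value may arrive as `:undef` rather than `nil`, so that case needs checking on the Puppet versions the module supports. The `<% end -%>` after the added lines presumably closes an `if @use_kerberos_auth` block that opens before the hunk.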
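Review bot: mapfile.kmap.erb writes each key and value of `@krb_mapfile_entries` unescaped as one `realm = domain` line and walks the hash in whatever order it arrives, so an entry whose realm or domain contains whitespace or a newline produces a malformed or extra mapping, and on Puppet/Ruby versions without stable hash ordering the file content can change between runs; iterate deterministically with `<% @krb_mapfile_entries.sort.each do |realm, domain| -%>` and consider rejecting entries that are not single tokens before they reach the file, since this file is what maps a Kerberos principal to a local account. The outer `<% if @krb_mapfile_entries.any? -%>` guard is redundant — `each` over an empty hash already emits nothing — and `.any?` raises if the parameter is ever passed as undef, so dropping the guard is both simpler and more robust.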